Home / malware TrojanDownloader:O97M/Tarbir
First posted on 12 January 2015.
Source: MicrosoftAliases :
There are no other names known for TrojanDownloader:O97M/Tarbir.
Explanation :
Threat behavior
Installation
This threat is a malicious macro script for Microsoft Office files. The macro can download and run other malware on your PC.
It can be installed when you open an attachment to a spam email that claims to be about a purchase, invoice or product order. For example, we have seen this threat attached to spam emails with the following subjects:
- Payment Details €“
, for example Payment Details €“ P97291 - Order €“
, for example Order €“ Y24383 - Invoice €“
, for example Invoice €“ P97291
The attachment is usually a Word document (.doc file). We have seen it use the following names:
- BILLING DETAILS_
.doc, for example BILLING DETAILS_9879.doc - ORDER INFO_
.doc, for example ORDER INFO_7702
Payload
Downloads other malware
The infected .doc files contain a malicious macro script that, when opened, can download and run other malware onto your PC.
The malware uses social engineering tactics to try to get you to enable macro scripting when you view the document, as macro scripts are usually disabled by default in Microsoft Office.
We have seen the malware uses the following fake warnings in an attempt to get you to enable macros:
If macros are enabled the trojan tries to connect to the following URL:
- isolectra.com.sg/
/ .exe - lynxtech.com.hk/
/ .exe
We have seen it download TrojanDownloader:Win32/Drixed.B to %APPDATA%\Local\Temp\444.exe.
Analysis by Patrick Estavillo
Symptoms
Alerts from your security software might be the only symptom.
Last update 12 January 2015
